CVE-2022-21722

NameCVE-2022-21722
DescriptionPJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch is available as a commit in the `master` branch. There are no known workarounds.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2962-1, DLA-3194-1, DSA-5285-1
Debian Bugs1014998

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)buster1:16.2.1~dfsg-1+deb10u2vulnerable
buster (security)1:16.28.0~dfsg-0+deb10u1fixed
bullseye1:16.16.1~dfsg-1+deb11u1vulnerable
bullseye (security)1:16.28.0~dfsg-0+deb11u1fixed
bookworm, sid1:20.0.0~dfsg+~cs6.12.40431414-2fixed
ring (PTS)buster20190215.1.f152c98~ds1-1+deb10u1vulnerable
sid, bullseye20210112.2.b757bac~ds1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksourcestretch(not affected)
asterisksourcebuster1:16.28.0~dfsg-0+deb10u1DLA-3194-1
asterisksourcebullseye1:16.28.0~dfsg-0+deb11u1DSA-5285-1
asterisksource(unstable)1:18.12.0~dfsg+~cs6.12.40431413-1
pjprojectsourcestretch2.5.5~dfsg-6+deb9u3DLA-2962-1
pjprojectsource(unstable)(unfixed)
ringsource(unstable)(unfixed)1014998

Notes

[stretch] - asterisk <not-affected> (Vulnerable code not present)
https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36
https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a

Search for package or bug name: Reporting problems